Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Is it really gone?


  • Please log in to reply
8 replies to this topic

#1 grdsh

grdsh

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 17 July 2009 - 12:26 PM

I had a rootkit (uacutil.dll) which I removed with the help of Bleeping Computer (many thanks JAT90!). At first I thought I would re-format after the rootkit was "removed," but that turns out to be impractical. I know that there is no absolute assurance that the computer will not continue to have security risks associated with its use, but short of re-formatting, what can I do to to ensure, to the best possible extent, that the rootkit is really gone? Ad-aware, Spybot and McAfee all now say that the computer is clean.

BC AdBot (Login to Remove)

 


m

#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:14 PM

Posted 17 July 2009 - 12:30 PM

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. The bullet the immediate notification bubble. Then press submit.



Lets take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 snowdrop

snowdrop

  • Members
  • 513 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 17 July 2009 - 12:49 PM

I had a rootkit (uacutil.dll) which I removed with the help of Bleeping Computer (many thanks JAT90!). At first I thought I would re-format after the rootkit was "removed," but that turns out to be impractical. I know that there is no absolute assurance that the computer will not continue to have security risks associated with its use, but short of re-formatting, what can I do to to ensure, to the best possible extent, that the rootkit is really gone? Ad-aware, Spybot and McAfee all now say that the computer is clean.


if you note the comment ON your HJT log thread

http://www.bleepingcomputer.com/forums/ind...t&p=1319708


Rootkits are very dangerous because they compromise system integrity by making changes that allow it to by used by the attacker for malicious purposes. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is send back to the hacker



Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure.



the only way to be sure it IS gone IS to reformat ; anything else is really a compromise ;

I guess the question is..............

are YOU happy to run your computer and do Banking etc knowing you may still HAVE remnants OF that infection on the computer that cannot be removed expect BY a reformat?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,270 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:14 PM

Posted 17 July 2009 - 01:13 PM

Snow drop made the better answer.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 grdsh

grdsh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 17 July 2009 - 03:08 PM

Here is the log:

Malwarebytes' Anti-Malware 1.39
Database version: 2452
Windows 5.1.2600 Service Pack 3

7/17/2009 3:57:47 PM
mbam-log-2009-07-17 (15-57-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 225537
Time elapsed: 37 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,270 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:11:14 PM

Posted 17 July 2009 - 03:15 PM

What antivirus,Spware and firewall are running on here?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 grdsh

grdsh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 17 July 2009 - 06:11 PM

I downloaded the Malwarebytes program, let it update itself and then disconnected from the Internet. Then I turned off McAfee and ran Malwarebytes. I have Spybot and Ad-aware, but they do not run automatically in my current setup. The computer, for now and probably into the future, will be on line only when absolutely necessary. It eventually will be retired, when it won't be on line at all.

#8 snowdrop

snowdrop

  • Members
  • 513 posts
  • OFFLINE
  •  
  • Local time:11:14 PM

Posted 18 July 2009 - 01:41 AM

Can you please confirm that you are aware that Macaffeee is an antivirus program, and that



I have Spybot and Ad-aware, but they do not run automatically in my current setup.


are NOT antivirus programs but are nasties- finding programs?
Which firewall are you running?
Of interest, did you ( do you ) have the Spybot's Tea Timer enabled?


Please do take heed of the warning that the computer is now compromised from that infection and really cannot be trusted ever again :thumbsup:

#9 grdsh

grdsh
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 18 July 2009 - 08:43 AM

I hear you. This computer will be put out of its misery as soon as I can do so.

I have the McAfee Security Center on it which has virus protection, spyware protection, system guard protection, script scanning protection and a firewall, all enabled.

Thanks for the reminder on Tea Timer. I am turning it on today.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users